216.73.217.176

Cyberhaven’s preliminary analysis of the recent malicious Chrome extension

· Published 02/01/2025 15:28 · Modified 02/01/2025 15:31

Export JSON

Essential information

Published
02/01/2025 15:28
Modified
02/01/2025 15:31
Tags
2025-01-02 chrome extension command and control data exfiltration facebook ads oauth phishing
Related entities
5 observables, 8 techniques (mitre)

Description

A attack on December 24th, 2024 compromised a Cyberhaven employee's access to the Google Chrome Web Store, leading to the publication of a malicious version of their . This was part of a larger campaign targeting developers, primarily aiming at accounts. The attack involved a email and a malicious Google application. The malicious extension collected user data from Facebook.com, including access tokens, user IDs, account information, and ad account details. The data was then exfiltrated to a server. The attack appears to be non-targeted and part of a wider campaign affecting multiple companies.

External references